How to configure CAPsMAN

Today, I met with a challenge. I need to set up a good, working Wi-Fi network across the building, using sixteen access points (APs). My previous configurations were simple deployments of these access points, with laborious configuration of each AP. And there were many channels and other things that I had to configure.

So I created a centralized access point management setup for an office environment that is scalable to many access points. This can be done by setting up the Controlled Access Point system Manager (CAPsMAN) on your router and connecting Controlled Access Points (CAPs) to it. I have two bands: 2.4 GHz and 5 GHz, everything with one SSID. I used this howto:

https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup

As CAPsMAN I used powerful hardware: MikroTik CCR1009-7G-1C-1S+. As CAPs I will use hAP ac, a dual-band Wi-Fi AP.

I assume that you have some skills with MikroTik devices and their configuration, so I will use only terminal commands in this post, with explanations.

So, let's begin.

Assume that we have a default VLAN 600, with no DHCP and no internet connection. It's a dummy VLAN that leads nowhere. Then we have 3 more VLANs: one is management (3), one is for guests (4) and one is for employees (5). Routing between these VLANs is provided by a Linux router, which is beyond our scope here. We used:

192.168.1.0/24 – management VLAN ID 3

192.168.2.0/24 – guest VLAN ID 4

192.168.3.0/24 – employee VLAN ID 5

Create a bond with four links, for high bandwidth, with the default VLAN 600:

Now we can configure our first CAP. This is done only once; any Wi-Fi setting will then be configured via CAPsMAN itself. I set the CAPs up to be used, accessed and to send data only via the management VLAN (VLAN ID = 3). All traffic will be forwarded to the CAPsMAN.

Now we download the CA public certificate from our CAPsMAN and import it. Then we create a local certificate and send it as a template to the SCEP server running on CAPsMAN. Then we must manually approve this template, and it will be signed by the CA certificate previously created on CAPsMAN. This signed certificate will be used for encrypted communication between the CAPs and CAPsMAN. This step must be done manually for each CAP separately.

And finally, we set this on CAPsMAN to provision radio settings to CAP1, or the next CAP2, and so on. We can limit this to the MAC address of CAP1. My setting allows any CAP to connect, as long as it has a certificate that has been previously granted.
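
The certificate requirement and the two provisioning choices described above, written out as an added RouterOS example (not the author's own commands): the manager refuses CAPs without a valid certificate, and the provisioning rule is shown both in the "any CAP with a granted certificate" form and limited to one radio MAC. The certificate names `CA-capsman`, `capsman` and `cap1`, the configuration name `cfg-2ghz`, the interface name `vlan3-mgmt`, the manager address 192.168.1.1 and the MAC address are assumptions.

```routeros
# --- On CAPsMAN (assumed certificate names: CA-capsman, capsman) ---
/caps-man manager
set enabled=yes ca-certificate=CA-capsman certificate=capsman \
    require-peer-certificate=yes
# require-peer-certificate=yes: a CAP that does not present a valid
# certificate is not accepted by the manager.

/caps-man provisioning
# Form described in the text: the all-zero radio-mac matches any radio,
# so every CAP that passed the certificate check gets provisioned.
add action=create-dynamic-enabled radio-mac=00:00:00:00:00:00 \
    master-configuration=cfg-2ghz comment="any authenticated CAP"

# Narrower form, used instead of the rule above: provision only one
# known radio (constructed MAC address), one rule per radio.
add action=create-dynamic-enabled radio-mac=02:00:00:00:00:01 \
    master-configuration=cfg-2ghz comment="CAP1 wlan1 only"

# --- On each CAP (assumed certificate name: cap1, issued via SCEP) ---
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 certificate=cap1 \
    discovery-interfaces=vlan3-mgmt caps-man-addresses=192.168.1.1 \
    lock-to-caps-man=yes
# lock-to-caps-man=yes keeps the CAP bound to the first CAPsMAN it
# connects to, so it does not join a different manager later.
```

With the MAC-limited rule, a CAP whose certificate was granted but whose radio is not listed still connects to the manager; its radio simply stays unprovisioned until a matching rule is added.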